Validating entered user data

views:

answers:

+3 Q:

Validating entered user data

Hello,

this is a general question but I do a desktop application.

Should I check for example the firstname exceeding 50 chars or is this a matter of taste?

Or should I check for > 50 chars because the user could flood my database with 10000000 chars ?

EDIT:

Seems I made the ball rolling... I should have said, that the firstname/lastname in my desktop app are from pupils a teacher enters...

so 50 chars is more than enough entering "Michael" and "Kramer" don`t you think? ;-)

+1 A:

You should always validate your input data. If nothing else, I assume that your database field is a set field so you should the stop the user from entering longer strings since you can't store them so too long names would probably throw an error of some kind when the DB insert fails.

ho1 2010-05-28 12:05:13

Not "probably". Will throw an error.

Cylon Cat 2010-05-28 12:09:41

@Cyclon Cat - Normally yes, but might depend on the DB, I have some vague memory of using some DB (or at least some kind of data store) that just truncated data.

ho1 2010-05-28 12:35:00

The ways of the world are many and varied, and while 50 characters seems like plenty for a WASP first name, I wouldn't go out on a limb and declare that there is nobody anywhere who doesn't have a longer one. Instead, I would make sure that my application never uses fixed length buffers ANYWHERE, so if somebody entered a first name that was 10,000,000 characters long, all that would happen is it would use a few more bytes than usual.

Paul Tomblin 2010-05-28 12:06:33

Like 10,000,000 bytes more

rdkleine 2010-05-28 12:15:39

What if you have to save it in a database? A `TEXT` field for names? 50 is definitely too short for a name, but 10,000,000 is probably a little bit too long.

MusiGenesis 2010-05-28 12:17:43

Not having fixed-width fields for text in a database would be a good start.

Williham Totland 2010-05-28 12:19:45

Also keep in mind that while most people don't have any single name much longer than 50 characters, they might have exceedingly many names. Consider, for example, Mr. Adolph Blaine Charles David Earl Frederick Gerald Hubert Irvin John Kenneth Lloyd Martin Nero Oliver Paul Quincy Randolph Sherman Thomas Uncas Victor William Xerxes Yancy Zeus Wolfeschlegelsteinhausenbergerdorft Senior. Not letting users enter their full name is an almost entirely terrible thing to do.

Williham Totland 2010-05-28 12:11:03

Not to mention prefixes and suffixes. If you don't allow for these, you may have last names like "Smith, Jr." or "Smith III".

Cylon Cat 2010-05-28 12:13:09

As well as titles and salutations, of course.

Williham Totland 2010-05-28 12:14:37

A multilevel validation strategy is usually appropriate.At the user level, don't allow anything that will cause errors later on. However, if you're relying on JavaScript validation, be aware that it can be bypassed easily. Your business and/or data layers should also validate before storing to the database. The same is true if you're sending data off to a service.

Client-side validation for usability. Server-side validation for reliability and integrity.

Cylon Cat 2010-05-28 12:12:04

All input is evil!

rdkleine 2010-05-28 12:14:09

Pithy. I like it.

Williham Totland 2010-05-28 12:16:28

ansaurus

tags:

views:

answers:

Validating entered user data

related questions